Usage

Generating commands use a leading pipe character and should be the first command in a search.

You can use this command with the eval command to generate an empty result for the eval command to operate on. See the Examples section.

Order-sensitive processors might fail if the internal _time field is absent.

Specifying server and server groups

If you use Splunk Cloud, omit any server or server group argument.

If you are using Splunk Enterprise, by default results are generated only on the originating search head, which is equivalent to specifying splunk_server=local. If you provide a specific splunk_server or splunk_server_group, then the number of results that you specify with the count argument is generated on each of the servers or server groups that you specify.

If you specify a server, the results are generated for that server, regardless of the server group that the server is associated with.

If you specify a count of 5 and you target 3 servers, then you will generate 15 total results. If annotate=true, the names for each server appear in the splunk_server column. This column will show that each server produced 5 results.

Examples

1. Create a result as an input into the eval command

Sometimes you want to use the eval command as the first command in a search. However, the eval command expects events as inputs. You can create a dummy event at the beginning of a search by using the makeresults command. You can then use the eval command in your search.

| makeresults | eval newfield="avalue"

2. Determine if the modified time of an event is greater than the relative time

For events with the field scheduled_time that is in Unix Epoch time, determine if the scheduled time is greater than the relative time. The relative time is 1 minute before now. This search uses a subsearch that starts with the makeresults command.
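One way to write the search described above, as an added example that is not the documentation's own: the index and sourcetype values are placeholders for whatever events carry the scheduled_time field, and the subsearch uses makeresults to produce the single value that relative_time computes.

```spl
index=<your_index> sourcetype=<your_sourcetype>
    (scheduled_time > [
        | makeresults
        | eval it=relative_time(now(), "-1m")
        | return $it
    ])
```

The subsearch returns only the Unix time of one minute ago, so the outer search effectively becomes scheduled_time > 1478012345 (a constructed value); the parentheses make clear that the greater-than sign is a comparison, not a pipe.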

Comments

Heads up - in Splunk Enterprise 6.5, if you're using "makeresults" and you click the "learn more" link for make results, it drops you at the Admin Manual homepage. It should instead send them to this docs page.

Sideview

November 1, 2016

Woodcock - I have added gentimes to the See also section. I did not add makeresults, as that would create a circular link.

Lstewart splunk, Splunker

July 19, 2016

This should reference "makeresults" in the "see also" section.

Woodcock

July 18, 2016

This should reference "gentimes" in the "see also" section.

Woodcock

July 18, 2016

Woodcock and Mueller - I updated the examples based on your comments and input from one of our lead engineers (CPride).

Lstewart splunk, Splunker

December 15, 2015

Your first example is missing a leading pipe ("|") character.

Woodcock

December 5, 2015

If someone confuses the greater than for an output redirect, switching to less than will make them confuse it for an input redirect.

Besides, use _index_earliest=-m instead ;p

Martin mueller

December 5, 2015

The last example makes it appear that the greater-than sign is a piping character. I would use parentheses and switch to lesser-than to avoid this confusion:
